Sharing Ghost Variables in a Collection of Abstract Domains (PowerPoint presentation)


  1. Sharing Ghost Variables in a Collection of Abstract Domains
     Marc Chevalier, Jérôme Feret
     DI ENS, INRIA, PSL, Paris, France
     VMCAI 2020
     1 / 22

  2. Outline
     ◮ Problems
     ◮ In a Reduced Product
     ◮ Discussion
     2 / 22

  3. Outline: Problems
     ◮ A Big Stack
     ◮ A Problem
     ◮ Ghost Variables to the Rescue
     ◮ Another Problem
     ◮ Building a Domain with Ghost Variables
     ◮ A Bigger Problem
     Then: In a Reduced Product; Discussion.
     3 / 22

  4. A Big Stack
     To certify software systems, we have to consider:
     ◮ End-user software (more classical)
     ◮ Libraries
     ◮ Runtime environment
     ◮ Operating system (here I work)
     ◮ Hypervisor
     ◮ Hardware
     ◮ Physics
     The operating system layer is the place of terrible low level operations.
     4 / 22

  5. A Problem
         int something_interesting = ...;
         int low = something_interesting & 0x0000ffff;
         int high = something_interesting >> 16;
         ... // complex computations
         int rebuilt = low | high << 16;
     (With enough assumptions:) something_interesting = rebuilt
     5 / 22

  6. Ghost Variables to the Rescue
         int something_interesting = ...;
         int low = something_interesting & 0x0000ffff;
         ...
     Bit layout of low: bits 0..15 hold Slice_{[0,15]→[0,15]}(low)[0,15]; bits 16..31 are 0.
     where
     ◮ Slice_{[0,15]→[0,15]}(low) is a ghost variable.
     ◮ Slice_{[0,15]→[0,15]}(low) := something_interesting
     6 / 22

  7. Another Problem
         int something_interesting_2 = ..., noise = ...;
         int noisy = something_interesting_2 + noise;
         ...
         int clean = noisy - noise;
     (With enough assumptions:) something_interesting_2 = clean
     7 / 22

  8. Building a Domain with Ghost Variables
     Theoretically: a parametric domain. The stack of domains reads Slices(Slices(... D ...)), where D is the underlying domain.
     Implementation: dependency injection (objects, templates, functors...).
     8 / 22

  9. A Bigger Problem
     Linear combinations of slices:
         int* p = ...;
         int* n = ...;
         int* n2 = ....;
         int l = p & 0xffff;
         int h = p << 16;
         int a = l + n;
         int b = h + n2;
         ... // kill p, l and h
         int l2 = a - n;
         int h2 = b - n2;
         int* p2 = l2 | h2 >> 16;
     Slices of linear combinations:
         int* p = ...;
         int* q = ...;
         int* r = p + q;
         int l = r & 0xffff;
         int h = r << 16;
         ... // kill r and p
         int* r2 = l | h >> 16;
         int* p2 = r2 - q;
     (It happens... really)
     Thus any domain should be aware of everybody's helping variables.
     9 / 22

  10. Outline: In a Reduced Product
      ◮ Astrée on the Inside
      ◮ The New Product in Action
      ◮ More?
      ◮ Some Legitimate Concerns: Soundness
      ◮ Some Legitimate Concerns: Termination
      10 / 22

  11. Astrée on the Inside
      Current layering: Struct domain → Pointers domain → A product of numerical domains.
      Downsides
      ◮ Variables ids are handled by Struct domain: missing ids for ghost variables.
      ◮ There is no way to add another pointer-like domain.
      11 / 22

  12. Astrée on the Inside – Reduced Product
      Given $(D^\sharp_1, \subseteq^\sharp_1)$, $(D^\sharp_2, \subseteq^\sharp_2)$, abstract domains for the same concrete domain.
      Product: $D^\sharp_{1 \times 2} = D^\sharp_1 \times D^\sharp_2$ with pointwise operations.
      $\gamma_{1 \times 2}(a_1, a_2) = \gamma_1(a_1) \cap \gamma_2(a_2)$
      Reduction: $\rho(a_1, a_2) = (b_1, b_2)$ with
      $\gamma_{1 \times 2}(a_1, a_2) \subseteq \gamma_{1 \times 2}(b_1, b_2)$ (sound)
      $b_1 \subseteq^\sharp_1 a_1 \wedge b_2 \subseteq^\sharp_2 a_2$ (morally: better)
      12 / 22

  13. Astrée on the Inside
      New combinator for pointer domains. New layering: Struct domain → Pointer-adapter → New combinator, which holds Pointers on one side and Numerical-adapter → Product of numerical domains on the other.
      ◮ Id translation by Pointer-adapter.
      ◮ Can add domains for pointer slices, linear combinations...
      ◮ Cleaner interfaces.
      ◮ Each domain can ask everybody to store a ghost variable and do computations on it.
      13 / 22

  14. The New Product in Action
          1  int a[4], *p, *q;
          2  p = &a[0];
          3  q = p + 1;
      (Layering: Pointer-adapter → New combinator → Pointers, and Numerical-adapter → Numerical domains.)
      Before line 3: p points to a, with 0 offset. Offset stored in ghost variable $o_p$.
      ◮ Numerical: $o_p = 0$
      ◮ Pointers: $p = a + o_p$
      14 / 22

  15. The New Product in Action (same code as slide 14)
      $q \leftarrow p + 1$: in the numerical domains, $p = \top$ ⇓ $q = \top$.
      14 / 22

  16. The New Product in Action (same code as slide 14)
      $q \leftarrow p + 1$: in the pointer domain, $p = a + o_p$ ⇓ need a new offset $o_q$ and, according to the semantics, $o_q \leftarrow o_p + 1 \times 4$ (the factor 4 is taken from the context: the element type of a).
      14 / 22

  17. The New Product in Action (same code as slide 14)
      $o_q \leftarrow o_p + 1 \times 4$: in the numerical domains, $o_p = 0$ ⇓ $o_q = 4$.
      14 / 22

  18. The New Product in Action (same code as slide 14)
      $o_q \leftarrow o_p + 1 \times 4$: in the pointer domain, $o_p \in \mathrm{NUM}$ ⇓ $o_q \in \mathrm{NUM}$.
      14 / 22
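The three steps of slides 14 to 18 (the pointer domain creates a ghost offset, hands its update to the numerical domain, and reads the result back) as an added Python sketch; it is not part of the talk or of Astrée. The class names NumDomain and PtrDomain, the use of a constant domain as the numerical side, and sizeof(int) = 4 are assumptions.

```python
TOP = "⊤"           # unknown numerical value
SIZEOF_INT = 4      # assumed target model: gives the "1 × 4" scaling of the slides

class NumDomain:
    """Constant domain over program variables and ghost variables (assumed name)."""
    def __init__(self):
        self.env = {}                       # a missing key means ⊤

    def assign_const(self, x, c):
        self.env[x] = c

    def assign_add(self, x, y, k):
        # x <- y + k: a constant stays a constant, ⊤ stays ⊤
        v = self.env.get(y, TOP)
        self.env[x] = TOP if v == TOP else v + k

    def get(self, x):
        return self.env.get(x, TOP)

class PtrDomain:
    """Represents p as base + o_p; the ghost offset o_p lives in `num`."""
    def __init__(self, num):
        self.num = num                      # numerical side of the product
        self.bases = {}

    def address_of(self, p, array):         # p = &array[0]
        self.bases[p] = array
        self.num.assign_const(f"o_{p}", 0)  # ask the numerical domain: o_p := 0

    def add_int(self, q, p, k, elem_size):  # q = p + k
        self.bases[q] = self.bases[p]       # same base, new ghost offset o_q
        # according to the semantics: o_q <- o_p + k × sizeof(element)
        self.num.assign_add(f"o_{q}", f"o_{p}", k * elem_size)

    def describe(self, p):
        return f"{self.bases[p]} + o_{p}"

def analyse():
    """Runs the three-line program of the slides through the product."""
    num = NumDomain()
    ptr = PtrDomain(num)
    # line 1: int a[4], *p, *q;  -- p and q themselves stay ⊤ numerically
    ptr.address_of("p", "a")                # line 2: p = &a[0];
    ptr.add_int("q", "p", 1, SIZEOF_INT)    # line 3: q = p + 1;
    return {"p": ptr.describe("p"), "q": ptr.describe("q"),
            "o_p": num.get("o_p"), "o_q": num.get("o_q"),
            "p_num": num.get("p"), "q_num": num.get("q")}

if __name__ == "__main__":
    print(analyse())
```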
